Method and apparatus for distributing data packets to multiple network addresses

ABSTRACT

A network device for transferring a data packet from a source address to a destination address is provided. The network device includes a plurality of network addresses for indicating locations of a plurality of network processing units, and further including a data packet distributing unit for transferring a data packet to the network processing units in sequence by replacing a destination address of the data packet with the network addresses. The data packet distributing unit performs the actions of determining whether the data packet has been transferred to each of the network processing units, transferring the data packet to a network processing unit after replacing the destination address of the data packet with a corresponding network address if the data packet has not been transferred to the network processing unit, and outputting the data packet if the data packet has been transferred to each of the processing units.

RELATED UNITED STATES PATENT APPLICATION

This application is a Continuation Application of the co-pending, commonly-owned U.S. patent application with Attorney Docket No. O-001.P015/0357, Ser. No. 11/602,669, filed on Nov. 21, 2006, by Zhiming Wang, and entitled “Method and apparatus for distributing data packets by using multi-network address translation”.

FIELD OF THE INVENTION

The invention relates to networks, and in particular, to a network device for distributing data packets to multiple network addresses.

BACKGROUND OF THE INVENTION

Network address translation (NAT) is a process for translating IP addresses. It enables a local-area network (LAN) to use a first set of network addresses for internal traffic and a second set of network addresses for external traffic. A network device that is capable of performing NAT operations is preferably located where a LAN meets a wide area network (WAN). The most commonly used network address is based on the Internet Protocol, the IP address. The first set of IP addresses for internal traffic can be reused in many different LANs and are not unique. The second set of IP addresses for external traffic are unique and cannot be reused by other networks. Each of the first set of IP addresses is assigned to a host in the LAN. Therefore, when a first host in a LAN intends to communicate with a second host on the Internet, it first transmits packets to a network device that is capable of performing NAT operations. In the IP header of each packet, there is a source address and a destination address. The source address is one of the first set of addresses that is assigned to the host and cannot be used outside the LAN. Therefore, in order to transmit the data packet to its destination address, the network device replaces the source address with an address from the second set of addresses which can be used for external communication. The operation of replacing the source address of the packet with an address from the second set of addresses is part of the NAT process. After the NAT, the resulting source address of the packet can be uniquely used for external traffic, such as Internet communication.

Nowadays, many network devices such as routers, firewalls, and ISDN routers are capable of performing NAT operations. All these devices employ only one NAT operation to transfer a data packet from a source address to a destination address.

With the rapid development of information technology, the functions provided by network devices are becoming more and more powerful and sophisticated. In today's network devices, besides basic functions, such as routing, many other functions or processing procedures, such as content-filtering, anti-virus, encryption, decryption and anti-spam, can be provided. These additional functions can be accomplished either in one processing unit or in many processing units. Performing some of the functions or processing procedures, such as an anti-virus processing procedure, is very complicated and time-consuming. To solve the problem, these additional processing procedures are usually executed by different processing units. A CPU in the network device is used to distribute data packets to different processing units for processing. However, this distribution method results in a huge consumption of the CPU resource. Thus, the above-mentioned method greatly limits the system performance.

To solve this problem, many solutions, such as using a more powerful CPU, providing extra hardware, and employing software implementation, have been proposed. However, the use of a more powerful CPU, extra hardware, or extra software implementation increases the system complexity and cost.

Therefore, the present invention is primarily directed to an improved solution that is capable of transmitting data packets to various network processing units without increasing the cost and system complexity.

SUMMARY OF THE INVENTION

The present invention provides a network device that employs multiple NAT operations to transmit data packets to various network processing units. Since NAT is a standard function of many network devices, the present invention is capable of transferring data packets to various network processing units according to system requirements without extra CPU or software operation. Consequently, system complexity and cost can be reduced.

In one embodiment of the invention, there is provided a network device including a plurality of network addresses for indicating locations of a plurality of network processing units, and further including a data packet distributing unit for transferring a data packet to the network processing units in sequence by replacing a destination address of the data packet with the network addresses. The data packet distributing unit performs the actions of determining whether the data packet has been transferred to each of the network processing units, transferring the data packet to a network processing unit after replacing the destination address of the data packet with a corresponding network address if the data packet has not been transferred to the network processing unit, and outputting the data packet if the data packet has been transferred to each of the processing units.

In another embodiment of the invention, there is also provided a network system including a plurality of network processing units for executing a plurality of predefined procedures on a data packet, and further including a data packet distributor coupled to the network processing units for transferring the data packet to the network processing units in sequence by replacing a destination address of the data packet with a plurality of network addresses for indicating locations of the network processing units respectively. The data packet distributor performs the actions of determining whether the data packet has been transferred to each of the network processing units, transferring the data packet to a network processing unit after replacing the destination address of the data packet with a corresponding network address if the data packet has not been transferred to the processing unit, and outputting the data packet if the data packet has been transferred to each of the processing units.

In yet another embodiment of the invention, there is also provided a method for distributing a data packet to a plurality of network processing units in sequence for processing. The method includes determining at a data packet distributing unit whether the data packet has been transferred to each of the network processing units. If the data packet has not been transferred to a network processing unit, the data packet distributing unit operates the steps of replacing a destination address of the data packet with a network address indicating a location of the network processing unit at the data packet distributing unit, and transferring the data packet from the data packet distributing unit to the network processing unit according to the destination address. If the data packet has been transferred to each of the processing units, the data packet distributing unit outputs the data packet.

BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of embodiments of the invention will become apparent as the following Detailed Description proceeds, and upon reference to the Drawings, where like numerals depict like elements, and in which:

FIG. 1 illustrates an exemplary topology of a network distributor for transferring a data packet from a source address to a destination address according to the invention.

FIG. 2 illustrates an exemplary flow chart of a method of using multiple NAT operations to transfer a data packet from a source address to a destination address.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 illustrates an exemplary topology of a network device for transferring a data packet from a source address to a destination address. In general, a network device, e.g., a data packets distributor 102, is in communication with a first network 1 100 and a second network 2 104. The data packets distributor 102 is capable of receiving data packets from either network 1 100 or network 2 104. The data packets distributor 102 also includes a data packet distributing unit 106 and a plurality of network addresses. Each network address indicates an address of an external data packets processing unit, such as P1 108, P2 110 . . . or Pn 112 as shown in FIG. 1. The data packet distributing unit 106 is further in communication with a plurality of external data packets processing units P1 108, P2 110 . . . Pn 112. As mentioned above, each of the plurality of external network processing units P1 108, P2 110 . . . Pn 112 is assigned a unique network address. The plurality of network addresses can be either statically or dynamically mapped to the plurality of processing units P1 108, P2 110 . . . Pn 112. Each of the plurality of processing units P1 108, P2 110 . . . Pn 112 is capable of performing at least one special processing procedure, such as content-filtering, anti-virus, encryption, decryption, anti-spam, etc. The data packet distributing unit 106 is further capable of determining which processing unit the data packet needs to be transferred to.

The data packets distributor 102 is capable of receiving data packets from either the network 1 100 or the network 2 104. When the network 1 100 transfers a data packet that has a source address and a destination address to the network 2 104, the data packet is received at the data packets distributor 102. At the data packet distributing unit 106 of the data packets distributor 102, the destination address of the data packet is replaced by a first network address that indicates a location of a certain network processing unit (e.g., P1 108) among P1 108, P2 110 . . . Pn 112. Replacing the destination address with the first network address is referred to as a first NAT operation herein. According to the first network address, the data packet is transferred to P1 108. At P1 108, the data packet is processed according to some of the procedures that are executed by P1 108, such as content-filtering, anti-virus, encryption, decryption, anti-spam, etc. After processing, the data packet is transferred back to the data packet distributing unit 106 from P1 108.

After the processed data packet is received at the data packet distributing unit 106, the data packet distributing unit 106 checks whether the data packet needs to be transferred to other processing units for further processing. If a further processing procedure is required, the data packet distributing unit 106 may replace the destination address of the data packet with a second network address that indicates a second processing unit among the plurality of processing units P1 108, P2 110 . . . Pn 112 and transmit the data packet to the second processing unit for further processing. Replacing the destination address with the second network address is also a NAT.

When the data packet distributing unit 106 detects that the data packet has been transferred to all the processing units it needs to be transferred to, the data packet distributing unit 106 may replace the current destination address of the data packet with its original destination address (a predefined address). Finally, the data packet is transmitted to the network 2 104. Replacing the second network address with the destination address is referred to as a second NAT herein.

It is appreciated by those skilled in the art that in the aforementioned embodiment of the invention, the data packets distributor 102 employs multiple NAT operations, containing at least two NAT operations, to transfer the data packet from its source address to its destination address. In the course of distributing the data packet, the concept of NAT is employed and no CPU or software is involved. Therefore, the goal of a reduced cost and system complexity can be achieved.

For some special processing procedures, such as content-filtering, anti-spam and anti-virus, the associated processing units that handle the special processing procedures may check whether the data packet meets security requirements and transmission requirements. If an associated processing unit detects that a data packet does not comply with the system security requirement, for example because it contains a virus, it may drop the data packet and log the dropping of the data packet. If any processing unit among P1 108, P2 110 . . . Pn 112 drops the data packet, the transmission of the data packet stops.

FIG. 2 illustrates an exemplary flow chart of a method for using multiple NAT operations to transfer a data packet from a source address indicative of a first location to a destination address indicative of a second location. The method includes receiving a data packet indicative of the first location at a data packet distributing unit, step 202, transferring the data packet from the data packet distributing unit to a processing unit by employing a first NAT operation, step 204, and processing the data packet at the processing unit, step 206. The method further includes detecting at the processing unit whether the data packet has fulfilled system requirements, step 208, forwarding the processed packet back to the data packet distributing unit if the data packet has fulfilled the system requirements, step 210, dropping the processed packet if the data packet has not fulfilled the system requirements, step 216, receiving the data packet at the data packet distributing unit, step 212, and transferring the processed data packet from the data packet distributing unit to the destination address indicative of said second location by using a second NAT operation, step 214.
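
The distribution sequence described above and in FIG. 2, generalized to n processing units, as an added simulation that is not part of the patent text. The per-packet state table, the pkt_id key, the addresses, the drop log and the two sample processing units are assumptions made for illustration; the patent does not say how the distributing unit records which units a packet has visited.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MARKER = b"TEST-MALWARE-MARKER"  # constructed stand-in for a virus signature


@dataclass
class Packet:
    pkt_id: int          # assumed key for the distributor's state table
    src: str
    dst: str
    payload: bytes
    trace: List[str] = field(default_factory=list)  # each destination written


# A processing unit returns the packet (sent back to the distributor) or
# None (dropped because it did not meet the unit's requirements).
Unit = Callable[[Packet], Optional[Packet]]


def content_filter(pkt: Packet) -> Optional[Packet]:
    return None if len(pkt.payload) > 1024 else pkt


def antivirus(pkt: Packet) -> Optional[Packet]:
    return None if MARKER in pkt.payload else pkt


class Distributor:
    def __init__(self, units: List[Tuple[str, Unit]]):
        self.units = units  # ordered (network address, unit) pairs
        self.state: Dict[int, Tuple[str, int]] = {}  # pkt_id -> (orig dst, next)
        self.drop_log: List[Tuple[int, str]] = []

    def _nat(self, pkt: Packet, new_dst: str) -> None:
        pkt.dst = new_dst          # the destination-address replacement
        pkt.trace.append(new_dst)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Send the packet to each unit in sequence, then output it."""
        self.state[pkt.pkt_id] = (pkt.dst, 0)   # remember original destination
        while True:
            orig_dst, idx = self.state[pkt.pkt_id]
            if idx == len(self.units):          # visited every unit: output
                self._nat(pkt, orig_dst)        # restore original destination
                del self.state[pkt.pkt_id]
                return pkt
            addr, unit = self.units[idx]
            self._nat(pkt, addr)                # rewrite dst to the unit
            returned = unit(pkt)
            if returned is None:                # unit dropped it: stop
                self.drop_log.append((pkt.pkt_id, addr))
                del self.state[pkt.pkt_id]      # do not leak state on drop
                return None
            pkt = returned
            self.state[pkt.pkt_id] = (orig_dst, idx + 1)


def demo():
    d = Distributor([("10.0.0.11", content_filter), ("10.0.0.12", antivirus)])
    clean = d.handle(Packet(1, "192.168.1.5", "203.0.113.9", b"hello"))
    bad = d.handle(Packet(2, "192.168.1.5", "203.0.113.9", b"x" + MARKER))
    return clean, bad, d


if __name__ == "__main__":
    clean, bad, d = demo()
    print(clean.trace, bad, d.drop_log)
```

The trace of the clean packet shows the chain of destination rewrites ending at the original destination, while the dropped packet leaves a log entry and no residual state in the distributor.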

The terms and expressions which have been employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible within the scope of the claims. Other modifications, variations, and alternatives are also possible. Accordingly, the claims are intended to cover all such equivalents. 

1-11. (canceled)
 12. A network device comprising: a plurality of network addresses for indicating locations of a plurality of network processing units; and a data packet distributing unit for transferring a data packet to said network processing units in sequence by replacing a destination address of said data packet with said network addresses, wherein said data packet distributing unit performs the following actions: determining whether said data packet has been transferred to each of said network processing units; transferring said data packet to a network processing unit after replacing said destination address of said data packet with a corresponding network address if said data packet has not been transferred to said network processing unit; and outputting said data packet if said data packet has been transferred to each of said processing units.
 13. The network device of claim 12, wherein said data packet distributing unit further selects a set of network processing units from said network processing units after receiving said data packet and transfers said data packet to said set of network processing units in sequence by replacing said destination address of said data packet with a corresponding set of said network addresses.
 14. The network device of claim 12, wherein said data packet distributing unit receives said data packet from a source address.
 15. The network device of claim 12, wherein said data packet distributing unit further forwards said data packet to a predefined address after replacing said destination address of said data packet with said predefined address if said data packet has been transferred to each of said network processing units.
 16. The network device of claim 12, wherein each network processing unit executes a predefined procedure on said data packet after receiving said data packet from said data packet distributing unit and sends said data packet back to said data packet distributing unit after completing said execution of said predefined procedure on said data packet.
 17. The network device of claim 12, wherein said data packet distributing unit selectively transfers said data packet to a next network processing unit which said data packet has not been transferred to after receiving said data packet from a previous network processing unit.
 18. The network device of claim 12, wherein, when a network processing unit detects that said data packet is unqualified, said network processing unit drops said data packet and said data packet distributing unit stops transferring said data packet to said network processing units.
 19. A network system, comprising: a plurality of network processing units for executing a plurality of predefined procedures on a data packet; and a data packet distributor coupled to said network processing units for transferring said data packet to said network processing units in sequence by replacing a destination address of said data packet with a plurality of network addresses for indicating locations of said network processing units respectively, wherein said data packet distributor performs the following actions: determining whether said data packet has been transferred to each of said network processing units; transferring said data packet to a network processing unit after replacing said destination address of said data packet with a corresponding network address if said data packet has not been transferred to said processing unit; and outputting said data packet if said data packet has been transferred to each of said processing units.
 20. The network system of claim 19, wherein said data packet distributor further selects a set of network processing units from said network processing units after receiving said data packet and transfers said data packet to said set of network processing units in sequence by replacing said destination address of said data packet with a corresponding set of said network addresses.
 21. The network system of claim 19, wherein said data packet distributor receives said data packet from a source address.
 22. The network system of claim 19, wherein said data packet distributor further forwards said data packet to a predefined address after replacing said destination address of said data packet with said predefined address if said data packet has been transferred to each of said network processing units.
 23. The network system of claim 19, wherein each of said network processing units processes said data packet after receiving said data packet from said data packet distributor and sends said data packet back to said data packet distributor after completing said process on said data packet.
 24. The network system of claim 19, wherein said data packet distributor selectively transfers said data packet to a next network processing unit which said data packet has not been transferred to after receiving said data packet from a previous network processing unit.
 25. The network system of claim 19, wherein, when a network processing unit detects that said data packet is unqualified, said network processing unit drops said data packet and said data packet distributor stops transferring said data packet to said network processing units.
 26. A method for distributing a data packet to a plurality of network processing units in sequence for processing, comprising the steps of: determining at a data packet distributing unit whether said data packet has been transferred to each of said network processing units; if said data packet has not been transferred to a network processing unit, said data packet distributing unit operates the steps of: replacing a destination address of said data packet with a network address indicating a location of said network processing unit at said data packet distributing unit; and transferring said data packet from said data packet distributing unit to said network processing unit according to said destination address; and if said data packet has been transferred to each of said processing units, outputting said data packet from said data packet distributing unit.
 27. The method of claim 26, further comprising the steps of: selecting at said data packet distributing unit a set of network processing units from said network processing units after receiving said data packet; and transferring said data packet from said data packet distributing unit to said set of network processing units in sequence by replacing said destination address of said data packet with a corresponding set of said network addresses.
 28. The method of claim 26, further comprising the step of: receiving said data packet at said data packet distributing unit from a source address.
 29. The method of claim 26, wherein, the step of outputting said data packet from said data packet distributing unit further comprises the steps of: replacing said destination address of said data packet with a predefined address at said data packet distributing unit; and forwarding said data packet from said data packet distributing unit to said predefined address.
 30. The method of claim 26, further comprising the steps of: processing said data packet at each of said network processing units after receiving said data packet from said data packet distributing unit; and sending said data packet back to said data packet distributing unit after completing said process on said data packet.
 31. The method of claim 26, further comprising the step of: selectively transferring said data packet from said data packet distributing unit to a next network processing unit which said data packet has not been transferred to after receiving said data packet at said data packet distributing unit from a previous network processing unit.
 32. The method of claim 26, further comprising the step of: dropping said data packet and stopping transferring said data packet to said network processing units if a network processing unit detects said data packet is unqualified. 